1

The test for xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias is looking specifically for root: system.administrator@mail.mil in /etc/aliases and OpenSCAP remediation automatically adds that. The real issue to address is to make sure there is an active email address set for root email, yet as implemented I cannot actually set this to an address that I monitor and still pass the test.

Is there some way to modify this behavior that I'm not aware of? I can tailor out the test entirely, but I'd rather not as it seems the intent of this test should be able to be satisfied.

https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-anssi_bp28_high.html#xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias

1 Answer

1

The email address is a variable. You will need to create a so-called tailoring file in which you set a different value for the variable. Then, when you run the scan of the target system, you pass the tailoring file to the oscap command alongside the SCAP source data stream.

The tailoring file can be created using the SCAP Workbench GUI utility, by the autotailor script provided by the openscap-utils package, or manually in a text editor.

In SCAP Workbench, load your SCAP source data stream, select a profile in the Profile drop-down box, and click on the Customize button (next to the Profile drop-down box). Create a new profile ID. Click on OK. A new window will appear. Put var_postfix_root_mail_alias into the search box at the top of the window and click on Search. On the right side of the window, under Modify Value, modify the email address. Click on OK. It will return to the main window. Then, click on File and then Save Customization Only and save a file somewhere, e.g. to tailoring.xml.

The tailoring file can look like this: https://paste.centos.org/view/d2a488b0, note the <xccdf:set-value idref="xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias">john@gmail.com</xccdf:set-value> in there.

With the autotailor script, you can generate the tailoring file on the command line. For example, if you want to create it for the RHEL 9 STIG profile, you can run:

    autotailor -v var_postfix_root_mail_alias='john@gmail.com' -o tailoring.xml -p customized /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml xccdf_org.ssgproject.content_profile_stig

Then, when you use the oscap command, you pass the generated tailoring file using the --tailoring-file tailoring.xml option and you use --profile customized to choose the customized profile containing the modified email address.

A frequent mistake is using the ID of the original profile when using tailoring files with the oscap command. You need to pass the ID of the custom profile to the oscap command.

The modified variable will also modify the bash remediation.

Jan Cerny
  • 141
  • 1
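
A pre-flight check for the procedure in the answer above, as an added example that is not part of the original answer or of OpenSCAP: it reads a tailoring file, confirms that the value passed to --profile names the tailored profile rather than the original one, and compares the tailored var_postfix_root_mail_alias value with the root entry in /etc/aliases. The sample tailoring XML, the profile ID, the address and the function names are constructed for illustration, and treating a short name as matching an ID ending in `_profile_<name>` is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
VAR = "xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias"

# Constructed sample inputs: IDs and the address are placeholders, not from the page.
SAMPLE_TAILORING = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"/>
  <xccdf:version time="2024-01-01T00:00:00">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_customized" extends="xccdf_org.ssgproject.content_profile_stig">
    <xccdf:set-value idref="xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias">root-alerts@example.org</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>"""
SAMPLE_ALIASES = "# constructed /etc/aliases\npostmaster: root\nroot: root-alerts@example.org\n"

def tailored_profiles(xml_text):
    """Map each tailored Profile id to (extends, {variable idref: value})."""
    out = {}
    for prof in ET.fromstring(xml_text).iter(XCCDF + "Profile"):
        values = {sv.get("idref"): (sv.text or "").strip()
                  for sv in prof.iter(XCCDF + "set-value")}
        out[prof.get("id")] = (prof.get("extends"), values)
    return out

def root_alias(aliases_text):
    """Return the target of the root alias, or None if it is not defined."""
    for line in aliases_text.splitlines():
        name, sep, target = line.partition(":")
        if sep and not line.lstrip().startswith("#") and name.strip() == "root":
            return target.strip()
    return None

def _hit(pid, arg):  # assumed rule: full ID, or short name after "_profile_"
    return bool(pid) and (pid == arg or pid.endswith("_profile_" + arg))

def preflight(xml_text, profile_arg, aliases_text):
    """Return a list of problems; an empty list means the inputs are consistent."""
    profiles = tailored_profiles(xml_text)
    match = [p for p in profiles if _hit(p, profile_arg)]
    if not match:
        if any(_hit(ext, profile_arg) for ext, _ in profiles.values()):
            return ["--profile names the original profile, not the tailored one"]
        return ["--profile does not match any profile in the tailoring file"]
    expected = profiles[match[0]][1].get(VAR)
    if expected is None:
        return ["tailored profile does not set " + VAR]
    actual = root_alias(aliases_text)
    if actual != expected:
        return ["root alias is %r, tailored value is %r" % (actual, expected)]
    return []
```

Calling `preflight(open("tailoring.xml").read(), "customized", open("/etc/aliases").read())` before the scan reports the wrong-profile mistake and a mismatched root alias without running oscap.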